Attest Actions uploaded artifacts

[ferferga]

Hello!

What is expected

It would be great if we could attest directly artifacts uploaded by actions/upload-artifact by passing, for instance, the artifact-id output to this action.

Why is this needed?

Although this action now supports wildcards as subjects, which is good for software that outputs multiple artifacts (for instance, a pipeline building ffmpeg usually outputs ffprobe, ffplay and ffmpeg), sometimes the build artifact is a single piece but with multiple file dependencies (software with dlls or web applications with chunk splitting and multiple .js bundles), so you want to sign it all "as a whole", not as individual files.

Current workaround

Right now, a good workaround for this would be to zip or tar all the files and sign the compressed output, and then upload it as an artifact, so consumers of the software get the same file that was signed. However, that creates a double compressed file, which is not always convenient and annoying, but there's no way to avoid GitHub Actions Artifacts API to upload artifacts as zip.

Hence, it would be awesome to directly attest those zips/artifact ids that GitHub Actions Artifacts provides.

[ferferga]

The release of v2.0.0 improves this in some way, since now a single attestation could be created of a group of files. However, still not 100% the original request.

[bdehamer]

@ferferga is your goal to create an attestation which references the archive created by actions/upload-artifact, or one which references each of the constituent files contained in the upload archive?

[ferferga]

@bdehamer The former, a reference to the archive created.

[bdehamer]

@ferferga I updated the upload-artifact action so that it will output the digest of the archive that is created. This means that you can now string together the upload-artifact and attest-build-provenance actions with something like this:

- name: Upload build artifact
  id: upload
  uses: actions/[email protected]
  with:
    path: "dist/*"

- uses: actions/attest-build-provenance@v2
  with:
    subject-name: artifact.zip
    subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}

[ferferga]

@bdehamer This is awesome, thank you very much! Would be great if this is documented somewhere though? Probably more referenciable than this issue. I can make a PR if desired.

[bdehamer]

The upload-artifact release with this feature just went out so I wanted to come update this issue. Will work to get an example added to the README.

[ferferga]

I'll leave this open then, feel free to close when you have ticked all the checks internally.

Thank you very much again for the quick implementation and updates!